Securing Mobile Devices and Their Data

Not long ago, the most common item stolen on campus was a bicycle. Today, as students and staff carry all manner of expensive mobile devices--containing all manner of sensitive information--campus crime has taken on a distinctly high-tech flavor. Tablets and smartphones are now among the easiest and most valuable targets at school.

As universities examine ways to safeguard these assets, it's important they recognize that their existing security policies are probably not adequate. “Campus IT must take the time to think about its mobile device security, and get a policy infrastructure set up before it deploys,” advised Ojas Rege, VP of strategy for MobileIron, a company specializing in mobile security management. “Don’t assume your laptop-security plan will translate to mobile. The mobile device is much more dynamic. Traditional IT security focuses on lockdown. Mobile security focuses on the user experience, and requires a new set of skills and capabilities.”

The typical higher education mobile deployment often involves a blend of devices--some owned by the organization and others owned by students. This can be challenging from an IT perspective, since the level of management will vary, based upon who owns the devices. Stephen Midgley, VP of global marketing for Absolute Software, calls this a “blended reality,” noting that it’s very similar to what is occurring on the corporate side, where employees bring their personal devices to work. The result of the BYOD (Bring Your Own Device) culture is that IT must manage and secure a variety of devices, including many operating systems.

For many campus IT departments, though, the challenge can be daunting. “The education industry sector often lags behind because of the amount of investment needed for mobile device management and security,” said Neil Florio, VP of marketing for Fiberlink. “A lot of schools have small IT shops, perhaps not on the leading edge, but they’re catching up in this area.”

So how do IT administrators secure, control, and manage mobile devices? Several companies now offer mobile device management solutions that give IT centralized control, informing administrators not only of a device's location, but also empowering them to update security protocols on the fly or even delete applications and information.

The most obvious problem facing mobile devices is physical theft. Thanks to GPS, however, most security solutions can help administrators locate a device. But not everyone believes institutions should be tracking the location of student devices.

“It hits the privacy boundary,” explained Rege. “The student may have personal and school information. Our job is to protect the school information.” He would prefer to see schools tracking only those “physical assets” that are truly high value.

A more nuanced approach may be to control how and where mobile devices can be used. “You can secure the device based on its location,” said Florio of a feature of Fiberlink's solution that allows administrators to enable certain applications and features only on campus, and, in the case of university-owned equipment, disable the device once it goes off campus. “This ‘geofencing’ can also locate a device if it’s lost or stolen,” added Florio. “It’s a more advanced and sophisticated context-based security system.”

Each device that a school wants to protect needs to be enrolled in the chosen security system. As part of a typical installation, for example, this might include creating a PIN, deploying a virtual private network (VPN) and encryption, and imposing a blacklist of applications, which prevents the execution of undesirable programs.

For additional security, many schools deploy advanced customized applications, either developed in-house or purchased as part of a security solution. With these, administrators can remotely remove applications, wipe school data, authenticate users, and add layers of security for school and student information, such as social security and health records.

The ability to control or remove data is becoming more and more critical as mobile devices find their way into a broad spectrum of campus activities. “The higher ed space seems to want to implement [mobile] this year,” continued Florio, “and many are deploying iPads.” As an example, he cited one large university that is issuing iPads to its football coaches, inspired perhaps by the fact that iPads are already in use in the NFL. Coaches can download their playbooks to the device, secure them, and update them every week. If playbooks are lost or stolen, IT can remotely remove them from the device.

For administrators looking to implement a mobile security strategy on their own campuses, Rege advises focusing on three steps:

Safeguard the network. This includes security of transmission, a secure on-campus network, or VPN off campus. IT can configure and secure on- and off-campus networks through certificates, which automate the login process and make it secure.

Safeguard information and documents. All sensitive data on the device need to be encrypted. Put in place a policy that, if the encryption is turned off, you can pull data off the device.

Safeguard the applications. For schools writing campus-oriented apps, make sure the app manages data securely and that you can delete the app, if necessary. If the iPad or device is university-owned, you need to blacklist/protect against any “rogue apps.”

Implementing a Vendor SolutionLast year, Thomas College (ME) purchased 30 iPads, organized them into two groups (library sign-out and staff), and secured them with a mobile device management (MDM) system from Absolute Software. According to Christopher Rhoda, VP for information services and CIO, the new system enables him to:

Keep hardware/software inventory of all iPads

Organize iPads into groups for library and staff

Push different iPad configurations for each group

Organize/advertise a list of apps for each group

Provide location services in case the device is lost or stolen

Configure MDM (mobile device management) profile to:

Automatically add WiFi settings

Push out a customized web clip for the college website

Password-protect profiles (to prevent removal of policy/restrictions)

Automatically set restrictions

Rhoda was able to deploy the security system in just a few days, and has found maintenance to be easy, “with new versions of the software providing updated features shortly after new iOS versions are released.” The cost was a “fairly modest” add-on, with the side benefit of also allowing him to secure and manage Apple laptops.